Vous êtes ici : L'internet rapide et permanent » Virtual Private Network » Open VPN » OpenVPN avec TLS

Les chapitres

Table des matières

OpenVPN avec TLS

Les certificats

Puisque nous savons utiliser TinyCA, autant nous en servir. Nous allons créer avec notre CA un certificat pour aaron (serveur) et un autre pour cyclope (client) et allons les placer, ainsi que leur clé privée, sur leurs destinations respectives.

Nous ne détaillons pas la création de ces certificats, reportez-vous à la page Mise en œuvre avec TinyCA du chapitre Notions de cryptographie.

Nous disposons donc de :

  • bts.eme-cacert.pem le certificat de notre CA ;
  • cyclope.maison.mrs-key.pem la clé privée de cyclope ;
  • cyclope.maison.mrs.pem le certificat de cyclope ;
  • aaron.bts.eme-key.pem la clé privée de aaron ;
  • aaron.bts.eme.pem le certificat de aaron.

Nous posons, par un moyen sécurisé, bts.eme-cacert.pem, cyclope.maison.mrs-key.pem et cyclope.maison.mrs.pem par exemple dans le répertoire de root de cyclope.

Nous posons, par un moyen sécurisé, bts.eme-cacert.pem, aaron.bts.eme-key.pem et aaron.bts.eme.pem par exemple dans le répertoire de root de aaron.

Paramètre « Diffie Hellman »

Enfin, nous créons sur aaron (le serveur), un paramètre « Diffie Hellman » au moyen d'OpenSSL, qui servira à générer les clés de session. En effet, la cryptographie « asymétrique », très gourmande en ressources, n'est utilisée que dans la phase d'authentification et d'établissement du tunnel. Par la suite, les données sont chiffrées de manière symétrique avec une clé partagée, communiquée par le serveur au client (à travers un chiffrement asymétrique, bien entendu). 

aaron:~# openssl dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................................

Et quelques (parfois très longues) minutes plus tard, nous avons le fichier : 

aaron:~# cat dh1024.pem
-----BEGIN DH PARAMETERS-----
MIGHAoGBANcTIW0XcvuNDSgK+KiS0rmo14zHNxnMK3IHjvWCqjJL8F0+nwFKvLql
FBggAoL1Si+4iuVJoZU3T4H/tsGlsayvWF1l4PNVuaenER2bhIDeFNGx1A/WbYmK
1JNOVpyfwC/i1fv1L/8bpzrjGsgl4GIy8sKzJt+PXRcV61fcJIM7AgEC
-----END DH PARAMETERS-----

Celui là, on ne pourra pas dire qu'il a été écrit à la légère.

Le tunnel final

La ligne de commande va commencer à être longue…

Sur aaron

C'est le serveur. 

aaron:~# openvpn --port 8147 --dev tun1 --ifconfig 192.168.25.1 192.168.25.2 --comp-lzo --verb 5 --tls-server --dh dh1024.pem --ca bts.eme-cacert.pem --cert aaron.bts.eme.pem --key aaron.bts.eme-key.pem --reneg-sec 21600

Ce qui nous dit : 

Sat Nov 15 18:49:41 2008 us=923686 Current Parameter Settings:
Sat Nov 15 18:49:41 2008 us=924704   config = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=924953   mode = 0
Sat Nov 15 18:49:41 2008 us=925180   persist_config = DISABLED
Sat Nov 15 18:49:41 2008 us=925410   persist_mode = 1
Sat Nov 15 18:49:41 2008 us=925635   show_ciphers = DISABLED
Sat Nov 15 18:49:41 2008 us=925862   show_digests = DISABLED
Sat Nov 15 18:49:41 2008 us=926087   show_engines = DISABLED
Sat Nov 15 18:49:41 2008 us=926314   genkey = DISABLED
Sat Nov 15 18:49:41 2008 us=926542   key_pass_file = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=926771   show_tls_ciphers = DISABLED
Sat Nov 15 18:49:41 2008 us=927001   proto = 0
Sat Nov 15 18:49:41 2008 us=927226   local = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=927452   remote_list = NULL
Sat Nov 15 18:49:41 2008 us=927679   remote_random = DISABLED
Sat Nov 15 18:49:41 2008 us=927909   local_port = 8147
Sat Nov 15 18:49:41 2008 us=928155   remote_port = 8147
Sat Nov 15 18:49:41 2008 us=928381   remote_float = DISABLED
Sat Nov 15 18:49:41 2008 us=928688   ipchange = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=928925   bind_local = ENABLED
Sat Nov 15 18:49:41 2008 us=929153   dev = 'tun1'
Sat Nov 15 18:49:41 2008 us=929381   dev_type = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=929608   dev_node = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=929832   tun_ipv6 = DISABLED
Sat Nov 15 18:49:41 2008 us=930059   ifconfig_local = '192.168.25.1'
Sat Nov 15 18:49:41 2008 us=930303   ifconfig_remote_netmask = '192.168.25.2'
Sat Nov 15 18:49:41 2008 us=930536   ifconfig_noexec = DISABLED
Sat Nov 15 18:49:41 2008 us=930765   ifconfig_nowarn = DISABLED
Sat Nov 15 18:49:41 2008 us=930995   shaper = 0
Sat Nov 15 18:49:41 2008 us=931222   tun_mtu = 1500
Sat Nov 15 18:49:41 2008 us=931452   tun_mtu_defined = ENABLED
Sat Nov 15 18:49:41 2008 us=931683   link_mtu = 1500
Sat Nov 15 18:49:41 2008 us=931909   link_mtu_defined = DISABLED
Sat Nov 15 18:49:41 2008 us=932140   tun_mtu_extra = 0
Sat Nov 15 18:49:41 2008 us=932365   tun_mtu_extra_defined = DISABLED
Sat Nov 15 18:49:41 2008 us=932635   fragment = 0
Sat Nov 15 18:49:41 2008 us=932866   mtu_discover_type = -1
Sat Nov 15 18:49:41 2008 us=933092   mtu_test = 0
Sat Nov 15 18:49:41 2008 us=933317   mlock = DISABLED
Sat Nov 15 18:49:41 2008 us=933545   keepalive_ping = 0
Sat Nov 15 18:49:41 2008 us=933772   keepalive_timeout = 0
Sat Nov 15 18:49:41 2008 us=933999   inactivity_timeout = 0
Sat Nov 15 18:49:41 2008 us=934227   ping_send_timeout = 0
Sat Nov 15 18:49:41 2008 us=934452   ping_rec_timeout = 0
Sat Nov 15 18:49:41 2008 us=934679   ping_rec_timeout_action = 0
Sat Nov 15 18:49:41 2008 us=934921   ping_timer_remote = DISABLED
Sat Nov 15 18:49:41 2008 us=935153   remap_sigusr1 = 0
Sat Nov 15 18:49:41 2008 us=935381   explicit_exit_notification = 0
Sat Nov 15 18:49:41 2008 us=935609   persist_tun = DISABLED
Sat Nov 15 18:49:41 2008 us=935837   persist_local_ip = DISABLED
Sat Nov 15 18:49:41 2008 us=936065   persist_remote_ip = DISABLED
Sat Nov 15 18:49:41 2008 us=936294   persist_key = DISABLED
Sat Nov 15 18:49:41 2008 us=936521   mssfix = 1450
Sat Nov 15 18:49:41 2008 us=936787   passtos = DISABLED
Sat Nov 15 18:49:41 2008 us=937016   resolve_retry_seconds = 1000000000
Sat Nov 15 18:49:41 2008 us=937245   connect_retry_seconds = 5
Sat Nov 15 18:49:41 2008 us=937473   username = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=937700   groupname = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=937926   chroot_dir = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=938157   cd_dir = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=938385   writepid = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=938612   up_script = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=938839   down_script = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=939065   down_pre = DISABLED
Sat Nov 15 18:49:41 2008 us=939291   up_restart = DISABLED
Sat Nov 15 18:49:41 2008 us=939518   up_delay = DISABLED
Sat Nov 15 18:49:41 2008 us=939743   daemon = DISABLED
Sat Nov 15 18:49:41 2008 us=939970   inetd = 0
Sat Nov 15 18:49:41 2008 us=940195   log = DISABLED
Sat Nov 15 18:49:41 2008 us=940422   suppress_timestamps = DISABLED
Sat Nov 15 18:49:41 2008 us=940692   nice = 0
Sat Nov 15 18:49:41 2008 us=940919   verbosity = 5
Sat Nov 15 18:49:41 2008 us=941146   mute = 0
Sat Nov 15 18:49:41 2008 us=941372   gremlin = 0
Sat Nov 15 18:49:41 2008 us=941611   status_file = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=941840   status_file_version = 1
Sat Nov 15 18:49:41 2008 us=942066   status_file_update_freq = 60
Sat Nov 15 18:49:41 2008 us=942292   occ = ENABLED
Sat Nov 15 18:49:41 2008 us=942520   rcvbuf = 65536
Sat Nov 15 18:49:41 2008 us=942747   sndbuf = 65536
Sat Nov 15 18:49:41 2008 us=942975   socks_proxy_server = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=943205   socks_proxy_port = 0
Sat Nov 15 18:49:41 2008 us=943431   socks_proxy_retry = DISABLED
Sat Nov 15 18:49:41 2008 us=943660   fast_io = DISABLED
Sat Nov 15 18:49:41 2008 us=943887   comp_lzo = ENABLED
Sat Nov 15 18:49:41 2008 us=944114   comp_lzo_adaptive = ENABLED
Sat Nov 15 18:49:41 2008 us=944345   route_script = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=944614   route_default_gateway = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=944852   route_noexec = DISABLED
Sat Nov 15 18:49:41 2008 us=945081   route_delay = 0
Sat Nov 15 18:49:41 2008 us=945309   route_delay_window = 30
Sat Nov 15 18:49:41 2008 us=945534   route_delay_defined = DISABLED
Sat Nov 15 18:49:41 2008 us=945764   management_addr = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=945995   management_port = 0
Sat Nov 15 18:49:41 2008 us=946221   management_user_pass = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=946452   management_log_history_cache = 250
Sat Nov 15 18:49:41 2008 us=946683   management_echo_buffer_size = 100
Sat Nov 15 18:49:41 2008 us=946911   management_query_passwords = DISABLED
Sat Nov 15 18:49:41 2008 us=947139   management_hold = DISABLED
Sat Nov 15 18:49:41 2008 us=947369   shared_secret_file = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=947599   key_direction = 0
Sat Nov 15 18:49:41 2008 us=947842   ciphername_defined = ENABLED
Sat Nov 15 18:49:41 2008 us=948074   ciphername = 'BF-CBC'
Sat Nov 15 18:49:41 2008 us=948302   authname_defined = ENABLED
Sat Nov 15 18:49:41 2008 us=948809   authname = 'SHA1'
Sat Nov 15 18:49:41 2008 us=949054   keysize = 0
Sat Nov 15 18:49:41 2008 us=949281   engine = DISABLED
Sat Nov 15 18:49:41 2008 us=949509   replay = ENABLED
Sat Nov 15 18:49:41 2008 us=949738   mute_replay_warnings = DISABLED
Sat Nov 15 18:49:41 2008 us=949970   replay_window = 64
Sat Nov 15 18:49:41 2008 us=950198   replay_time = 15
Sat Nov 15 18:49:41 2008 us=950424   packet_id_file = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=950654   use_iv = ENABLED
Sat Nov 15 18:49:41 2008 us=950882   test_crypto = DISABLED
Sat Nov 15 18:49:41 2008 us=951109   tls_server = ENABLED
Sat Nov 15 18:49:41 2008 us=951336   tls_client = DISABLED
Sat Nov 15 18:49:41 2008 us=951569   key_method = 2
Sat Nov 15 18:49:41 2008 us=951797   ca_file = 'bts.eme-cacert.pem'
Sat Nov 15 18:49:41 2008 us=952028   dh_file = 'dh1024.pem'
Sat Nov 15 18:49:41 2008 us=952256   cert_file = 'aaron.bts.eme.pem'
Sat Nov 15 18:49:41 2008 us=952485   priv_key_file = 'aaron.bts.eme-key.pem'
Sat Nov 15 18:49:41 2008 us=952760   pkcs12_file = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=952987   cipher_list = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=953214   tls_verify = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=953442   tls_remote = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=953669   crl_file = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=953898   ns_cert_type = 0
Sat Nov 15 18:49:41 2008 us=954127   tls_timeout = 2
Sat Nov 15 18:49:41 2008 us=954356   renegotiate_bytes = 0
Sat Nov 15 18:49:41 2008 us=954584   renegotiate_packets = 0
Sat Nov 15 18:49:41 2008 us=954826   renegotiate_seconds = 21600
Sat Nov 15 18:49:41 2008 us=955057   handshake_window = 60
Sat Nov 15 18:49:41 2008 us=955285   transition_window = 3600
Sat Nov 15 18:49:41 2008 us=955513   single_session = DISABLED
Sat Nov 15 18:49:41 2008 us=955743   tls_exit = DISABLED
Sat Nov 15 18:49:41 2008 us=955971   tls_auth_file = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=956283   server_network = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=956530   server_netmask = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=956810   server_bridge_ip = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=957049   server_bridge_netmask = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=957288   server_bridge_pool_start = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=957527   server_bridge_pool_end = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=957758   ifconfig_pool_defined = DISABLED
Sat Nov 15 18:49:41 2008 us=957997   ifconfig_pool_start = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=958249   ifconfig_pool_end = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=958487   ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=958717   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=958952   ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 18:49:41 2008 us=959185   ifconfig_pool_linear = DISABLED
Sat Nov 15 18:49:41 2008 us=959417   n_bcast_buf = 256
Sat Nov 15 18:49:41 2008 us=959647   tcp_queue_limit = 64
Sat Nov 15 18:49:41 2008 us=959875   real_hash_size = 256
Sat Nov 15 18:49:41 2008 us=960104   virtual_hash_size = 256
Sat Nov 15 18:49:41 2008 us=960332   client_connect_script = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=960565   learn_address_script = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=960836   client_disconnect_script = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=961068   client_config_dir = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=961302   ccd_exclusive = DISABLED
Sat Nov 15 18:49:41 2008 us=961532   tmp_dir = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=961760   push_ifconfig_defined = DISABLED
Sat Nov 15 18:49:41 2008 us=962000   push_ifconfig_local = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=962238   push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 18:49:41 2008 us=962467   enable_c2c = DISABLED
Sat Nov 15 18:49:41 2008 us=962694   duplicate_cn = DISABLED
Sat Nov 15 18:49:41 2008 us=962921   cf_max = 0
Sat Nov 15 18:49:41 2008 us=963150   cf_per = 0
Sat Nov 15 18:49:41 2008 us=963379   max_clients = 1024
Sat Nov 15 18:49:41 2008 us=963609   max_routes_per_client = 256
Sat Nov 15 18:49:41 2008 us=963839   client_cert_not_required = DISABLED
Sat Nov 15 18:49:41 2008 us=964069   username_as_common_name = DISABLED
Sat Nov 15 18:49:41 2008 us=964300   auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=964545   auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 18:49:41 2008 us=964847   client = DISABLED
Sat Nov 15 18:49:41 2008 us=965048   pull = DISABLED
Sat Nov 15 18:49:41 2008 us=965250   auth_user_pass_file = '[UNDEF]'
Sat Nov 15 18:49:41 2008 us=965456 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 18:49:42 2008 us=15536 Diffie-Hellman initialized with 1024 bit key
Sat Nov 15 18:49:42 2008 us=21069 LZO compression initialized
Sat Nov 15 18:49:42 2008 us=21975 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Nov 15 18:49:42 2008 us=72086 TUN/TAP device tun1 opened
Sat Nov 15 18:49:42 2008 us=72501 TUN/TAP TX queue length set to 100
Sat Nov 15 18:49:42 2008 us=72890 ifconfig tun1 192.168.25.1 pointopoint 192.168.25.2 mtu 1500
Sat Nov 15 18:49:42 2008 us=87489 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov 15 18:49:42 2008 us=88034 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Nov 15 18:49:42 2008 us=88289 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Nov 15 18:49:42 2008 us=88685 Local Options hash (VER=V4): '40c5ad26'
Sat Nov 15 18:49:42 2008 us=88966 Expected Remote Options hash (VER=V4): 'b7094d11'
Sat Nov 15 18:49:42 2008 us=89285 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 18:49:42 2008 us=89823 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 18:49:42 2008 us=90054 UDPv4 link remote: [undef]

Sur cyclope

C'est le client 

cyclope:~# openvpn --remote 82.127.57.95  --port 8147 --dev tun1 --ifconfig 192.168.25.2 192.168.25.1 --comp-lzo --verb 5 --tls-client --ca bts.eme-cacert.pem --cert cyclope.maison.mrs.pem --key cyclope.maison.mrs-key.pem 


Sat Nov 15 18:55:03 2008 us=70505 Current Parameter Settings:
Sat Nov 15 18:55:03 2008 us=72038   config = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=72781   mode = 0
Sat Nov 15 18:55:03 2008 us=73464   persist_config = DISABLED
Sat Nov 15 18:55:03 2008 us=74166   persist_mode = 1
Sat Nov 15 18:55:03 2008 us=74853   show_ciphers = DISABLED
Sat Nov 15 18:55:03 2008 us=75617   show_digests = DISABLED
Sat Nov 15 18:55:03 2008 us=76425   show_engines = DISABLED
Sat Nov 15 18:55:03 2008 us=77118   genkey = DISABLED
Sat Nov 15 18:55:03 2008 us=77810   key_pass_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=78515   show_tls_ciphers = DISABLED
Sat Nov 15 18:55:03 2008 us=79374   proto = 0
Sat Nov 15 18:55:03 2008 us=80071   local = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=80886   remote_list[0] = {'82.127.57.95', 8147}
Sat Nov 15 18:55:03 2008 us=81641   remote_random = DISABLED
Sat Nov 15 18:55:03 2008 us=82336   local_port = 8147
Sat Nov 15 18:55:03 2008 us=83033   remote_port = 8147
Sat Nov 15 18:55:03 2008 us=84055   remote_float = DISABLED
Sat Nov 15 18:55:03 2008 us=84570   ipchange = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=84953   bind_local = ENABLED
Sat Nov 15 18:55:03 2008 us=85293   dev = 'tun1'
Sat Nov 15 18:55:03 2008 us=86334   dev_type = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=86994   dev_node = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=87748   tun_ipv6 = DISABLED
Sat Nov 15 18:55:03 2008 us=88442   ifconfig_local = '192.168.25.2'
Sat Nov 15 18:55:03 2008 us=89163   ifconfig_remote_netmask = '192.168.25.1'
Sat Nov 15 18:55:03 2008 us=89688   ifconfig_noexec = DISABLED
Sat Nov 15 18:55:03 2008 us=90204   ifconfig_nowarn = DISABLED
Sat Nov 15 18:55:03 2008 us=91041   shaper = 0
Sat Nov 15 18:55:03 2008 us=91799   tun_mtu = 1500
Sat Nov 15 18:55:03 2008 us=92494   tun_mtu_defined = ENABLED
Sat Nov 15 18:55:03 2008 us=93193   link_mtu = 1500
Sat Nov 15 18:55:03 2008 us=93887   link_mtu_defined = DISABLED
Sat Nov 15 18:55:03 2008 us=94587   tun_mtu_extra = 0
Sat Nov 15 18:55:03 2008 us=95535   tun_mtu_extra_defined = DISABLED
Sat Nov 15 18:55:03 2008 us=96226   fragment = 0
Sat Nov 15 18:55:03 2008 us=96917   mtu_discover_type = -1
Sat Nov 15 18:55:03 2008 us=97432   mtu_test = 0
Sat Nov 15 18:55:03 2008 us=97944   mlock = DISABLED
Sat Nov 15 18:55:03 2008 us=98458   keepalive_ping = 0
Sat Nov 15 18:55:03 2008 us=98613   keepalive_timeout = 0
Sat Nov 15 18:55:03 2008 us=98719   inactivity_timeout = 0
Sat Nov 15 18:55:03 2008 us=98822   ping_send_timeout = 0
Sat Nov 15 18:55:03 2008 us=98924   ping_rec_timeout = 0
Sat Nov 15 18:55:03 2008 us=99027   ping_rec_timeout_action = 0
Sat Nov 15 18:55:03 2008 us=99128   ping_timer_remote = DISABLED
Sat Nov 15 18:55:03 2008 us=99295   remap_sigusr1 = 0
Sat Nov 15 18:55:03 2008 us=99401   explicit_exit_notification = 0
Sat Nov 15 18:55:03 2008 us=99502   persist_tun = DISABLED
Sat Nov 15 18:55:03 2008 us=99604   persist_local_ip = DISABLED
Sat Nov 15 18:55:03 2008 us=99705   persist_remote_ip = DISABLED
Sat Nov 15 18:55:03 2008 us=99806   persist_key = DISABLED
Sat Nov 15 18:55:03 2008 us=99910   mssfix = 1450
Sat Nov 15 18:55:03 2008 us=100010   passtos = DISABLED
Sat Nov 15 18:55:03 2008 us=100116   resolve_retry_seconds = 1000000000
Sat Nov 15 18:55:03 2008 us=100220   connect_retry_seconds = 5
Sat Nov 15 18:55:03 2008 us=100322   username = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=100425   groupname = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=100708   chroot_dir = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=100831   cd_dir = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=100937   writepid = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=101038   up_script = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=101141   down_script = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=101243   down_pre = DISABLED
Sat Nov 15 18:55:03 2008 us=101344   up_restart = DISABLED
Sat Nov 15 18:55:03 2008 us=101447   up_delay = DISABLED
Sat Nov 15 18:55:03 2008 us=101548   daemon = DISABLED
Sat Nov 15 18:55:03 2008 us=101650   inetd = 0
Sat Nov 15 18:55:03 2008 us=101750   log = DISABLED
Sat Nov 15 18:55:03 2008 us=101852   suppress_timestamps = DISABLED
Sat Nov 15 18:55:03 2008 us=101955   nice = 0
Sat Nov 15 18:55:03 2008 us=102056   verbosity = 5
Sat Nov 15 18:55:03 2008 us=102158   mute = 0
Sat Nov 15 18:55:03 2008 us=102258   gremlin = 0
Sat Nov 15 18:55:03 2008 us=102358   status_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=102462   status_file_version = 1
Sat Nov 15 18:55:03 2008 us=102566   status_file_update_freq = 60
Sat Nov 15 18:55:03 2008 us=102667   occ = ENABLED
Sat Nov 15 18:55:03 2008 us=102769   rcvbuf = 65536
Sat Nov 15 18:55:03 2008 us=102871   sndbuf = 65536
Sat Nov 15 18:55:03 2008 us=102973   socks_proxy_server = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=103078   socks_proxy_port = 0
Sat Nov 15 18:55:03 2008 us=103234   socks_proxy_retry = DISABLED
Sat Nov 15 18:55:03 2008 us=103346   fast_io = DISABLED
Sat Nov 15 18:55:03 2008 us=103448   comp_lzo = ENABLED
Sat Nov 15 18:55:03 2008 us=103551   comp_lzo_adaptive = ENABLED
Sat Nov 15 18:55:03 2008 us=103654   route_script = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=103758   route_default_gateway = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=103860   route_noexec = DISABLED
Sat Nov 15 18:55:03 2008 us=103964   route_delay = 0
Sat Nov 15 18:55:03 2008 us=104066   route_delay_window = 30
Sat Nov 15 18:55:03 2008 us=104167   route_delay_defined = DISABLED
Sat Nov 15 18:55:03 2008 us=104271   management_addr = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=104376   management_port = 0
Sat Nov 15 18:55:03 2008 us=104477   management_user_pass = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=104582   management_log_history_cache = 250
Sat Nov 15 18:55:03 2008 us=104687   management_echo_buffer_size = 100
Sat Nov 15 18:55:03 2008 us=104789   management_query_passwords = DISABLED
Sat Nov 15 18:55:03 2008 us=104892   management_hold = DISABLED
Sat Nov 15 18:55:03 2008 us=104996   shared_secret_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=105101   key_direction = 0
Sat Nov 15 18:55:03 2008 us=105207   ciphername_defined = ENABLED
Sat Nov 15 18:55:03 2008 us=105313   ciphername = 'BF-CBC'
Sat Nov 15 18:55:03 2008 us=105418   authname_defined = ENABLED
Sat Nov 15 18:55:03 2008 us=105522   authname = 'SHA1'
Sat Nov 15 18:55:03 2008 us=105628   keysize = 0
Sat Nov 15 18:55:03 2008 us=105730   engine = DISABLED
Sat Nov 15 18:55:03 2008 us=109467   replay = ENABLED
Sat Nov 15 18:55:03 2008 us=109904   mute_replay_warnings = DISABLED
Sat Nov 15 18:55:03 2008 us=110259   replay_window = 64
Sat Nov 15 18:55:03 2008 us=111754   replay_time = 15
Sat Nov 15 18:55:03 2008 us=112450   packet_id_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=113148   use_iv = ENABLED
Sat Nov 15 18:55:03 2008 us=113838   test_crypto = DISABLED
Sat Nov 15 18:55:03 2008 us=114529   tls_server = DISABLED
Sat Nov 15 18:55:03 2008 us=115306   tls_client = ENABLED
Sat Nov 15 18:55:03 2008 us=115980   key_method = 2
Sat Nov 15 18:55:03 2008 us=116674   ca_file = 'bts.eme-cacert.pem'
Sat Nov 15 18:55:03 2008 us=117377   dh_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=118067   cert_file = 'cyclope.maison.mrs.pem'
Sat Nov 15 18:55:03 2008 us=118769   priv_key_file = 'cyclope.maison.mrs-key.pem'
Sat Nov 15 18:55:03 2008 us=119534   pkcs12_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=120226   cipher_list = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=120918   tls_verify = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=121610   tls_remote = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=121769   crl_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=122060   ns_cert_type = 0
Sat Nov 15 18:55:03 2008 us=122174   tls_timeout = 2
Sat Nov 15 18:55:03 2008 us=122281   renegotiate_bytes = 0
Sat Nov 15 18:55:03 2008 us=122389   renegotiate_packets = 0
Sat Nov 15 18:55:03 2008 us=122496   renegotiate_seconds = 3600
Sat Nov 15 18:55:03 2008 us=122604   handshake_window = 60
Sat Nov 15 18:55:03 2008 us=122709   transition_window = 3600
Sat Nov 15 18:55:03 2008 us=122813   single_session = DISABLED
Sat Nov 15 18:55:03 2008 us=122918   tls_exit = DISABLED
Sat Nov 15 18:55:03 2008 us=123024   tls_auth_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=123350   server_network = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=123480   server_netmask = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=123599   server_bridge_ip = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=123716   server_bridge_netmask = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=123835   server_bridge_pool_start = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=123954   server_bridge_pool_end = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=124061   ifconfig_pool_defined = DISABLED
Sat Nov 15 18:55:03 2008 us=124180   ifconfig_pool_start = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=124299   ifconfig_pool_end = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=124455   ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=124574   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=124683   ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 18:55:03 2008 us=124790   ifconfig_pool_linear = DISABLED
Sat Nov 15 18:55:03 2008 us=124897   n_bcast_buf = 256
Sat Nov 15 18:55:03 2008 us=125005   tcp_queue_limit = 64
Sat Nov 15 18:55:03 2008 us=125109   real_hash_size = 256
Sat Nov 15 18:55:03 2008 us=125214   virtual_hash_size = 256
Sat Nov 15 18:55:03 2008 us=125321   client_connect_script = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=125429   learn_address_script = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=125536   client_disconnect_script = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=125642   client_config_dir = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=125747   ccd_exclusive = DISABLED
Sat Nov 15 18:55:03 2008 us=125851   tmp_dir = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=125955   push_ifconfig_defined = DISABLED
Sat Nov 15 18:55:03 2008 us=126075   push_ifconfig_local = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=126193   push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 18:55:03 2008 us=126299   enable_c2c = DISABLED
Sat Nov 15 18:55:03 2008 us=126403   duplicate_cn = DISABLED
Sat Nov 15 18:55:03 2008 us=126509   cf_max = 0
Sat Nov 15 18:55:03 2008 us=126612   cf_per = 0
Sat Nov 15 18:55:03 2008 us=126718   max_clients = 1024
Sat Nov 15 18:55:03 2008 us=126826   max_routes_per_client = 256
Sat Nov 15 18:55:03 2008 us=126931   client_cert_not_required = DISABLED
Sat Nov 15 18:55:03 2008 us=127037   username_as_common_name = DISABLED
Sat Nov 15 18:55:03 2008 us=127144   auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=127317   auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 18:55:03 2008 us=127426   client = DISABLED
Sat Nov 15 18:55:03 2008 us=127529   pull = DISABLED
Sat Nov 15 18:55:03 2008 us=127633   auth_user_pass_file = '[UNDEF]'
Sat Nov 15 18:55:03 2008 us=127747 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 18:55:03 2008 us=128224 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Nov 15 18:55:03 2008 us=193832 LZO compression initialized
Sat Nov 15 18:55:03 2008 us=215986 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Nov 15 18:55:03 2008 us=274091 TUN/TAP device tun1 opened
Sat Nov 15 18:55:03 2008 us=275033 TUN/TAP TX queue length set to 100
Sat Nov 15 18:55:03 2008 us=275779 ifconfig tun1 192.168.25.2 pointopoint 192.168.25.1 mtu 1500
Sat Nov 15 18:55:03 2008 us=467561 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov 15 18:55:03 2008 us=468607 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Nov 15 18:55:03 2008 us=469420 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Nov 15 18:55:03 2008 us=470311 Local Options hash (VER=V4): 'b7094d11'
Sat Nov 15 18:55:03 2008 us=471125 Expected Remote Options hash (VER=V4): '40c5ad26'
Sat Nov 15 18:55:03 2008 us=472024 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 18:55:03 2008 us=472741 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 18:55:03 2008 us=473457 UDPv4 link remote: 82.127.57.95:8147
WRSat Nov 15 18:55:03 2008 us=566989 TLS: Initial packet from 82.127.57.95:8147, sid=fa310697 a7811164
WWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRSat Nov 15 18:55:04 2008 us=947948 VERIFY OK: depth=1, /C=FR/ST=Bouches_du_Rhone/L=Marseille/O=EME/OU=EME/CN=rootCA.bts.eme/emailAddress=sysop@bts.eme
Sat Nov 15 18:55:04 2008 us=963876 VERIFY OK: depth=0, /C=FR/ST=Bouches_du_Rhone/L=Marseille/O=EME/OU=EME/CN=aaron.bts.eme/emailAddress=sysop@bts.eme
WRWRWRWRWRWRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWWWWRRRRWRWRSat Nov 15 18:55:07 2008 us=57442 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 18:55:07 2008 us=58073 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 18:55:07 2008 us=59658 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 18:55:07 2008 us=60217 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WSat Nov 15 18:55:07 2008 us=62054 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Sat Nov 15 18:55:07 2008 us=62827 [aaron.bts.eme] Peer Connection Initiated with 82.127.57.95:8147
Sat Nov 15 18:55:08 2008 us=235349 Initialization Sequence Completed
Sitôt que le client se connecte au serveur, il obtient le certificat de aaron et vérifie qu'il est bien signé par la CA. Il doit se passer aussi des choses sur aaron concernant l'identité de cyclope : 
RSat Nov 15 18:55:11 2008 us=189661 TLS: Initial packet from 82.229.41.132:8147, sid=66df4f24 9bbda6c9
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRSat Nov 15 18:55:14 2008 us=507464 VERIFY OK: depth=1, /C=FR/ST=Bouches_du_Rhone/L=Marseille/O=EME/OU=EME/CN=rootCA.bts.eme/emailAddress=sysop@bts.eme
Sat Nov 15 18:55:14 2008 us=517805 VERIFY OK: depth=0, /C=FR/ST=Bouches_du_Rhone/L=Marseille/O=EME/OU=EME/CN=cyclope.maison.mrs/emailAddress=sysop@maison.mrs
WRWRWRWRWRWRWRWRWRWRWRSat Nov 15 18:55:14 2008 us=697312 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 18:55:14 2008 us=697683 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 18:55:14 2008 us=698267 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 18:55:14 2008 us=698533 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRRSat Nov 15 18:55:14 2008 us=775185 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Sat Nov 15 18:55:14 2008 us=775576 [cyclope.maison.mrs] Peer Connection Initiated with 80.8.135.67:8147
Sat Nov 15 18:55:15 2008 us=812670 Initialization Sequence Completed
Effectivement il y a bien authentification mutuelle des deux bouts du tunnel.

Conclusion presque finale

Nous disposons désormais d'un tunnel chiffré, où chaque extrémité sait authentifier l'autre bout. En réalité, il ne fait que vérifier que le certificat présenté par l'autre bout est bien signé par la CA connue (directive –ca).

Avant de mettre en production, il serait peut-être bon de durcir encore un peu plus ce tunnel, si c'est possible.